I have tested it on 4-2 branch and it works as expected, ACK.
Obviously, master branch would require a different patch.

I actually missed your check in ipaserver/install/kra.py which can
break ipa-replica-install with --setup-kra, so NACK.

Updated patches attached.

NACK on the master-branch patch.
You forgot a 'return' in this code snippet:
+ if self.installing_replica:
+ domain_level = dsinstance.get_domain_level(api)
+ if domain_level > DOMAIN_LEVEL_0:
+ self.options.promote = True
+ return
that would make installation abort when domain level is greter than zero.